Microsoft rolls out emergency fix for dangerous ‘acropalypse’ flaw
Microsoft has moved quickly to fix the worrying “acropalypse” bug we reported earlier this week — a bug that meant information cropped out of an image with the Windows Snipping Tool could still be recovered from the saved file.
According to BleepingComputer, Microsoft has released an OOB (out-of-band, i.e. emergency) update to fix the issue, which is tracked as CVE-2023-28303. As you might expect, Microsoft recommends that users apply the update as soon as possible.
Applying the update isn’t difficult at all: in the Microsoft Store, click the Library icon on the left, then select Get Updates (top right). This should force the patch to be applied if it wasn’t already installed automatically.
The bug is similar to the one affecting the Markup tool on Google Pixel phones, meaning that images and screenshots cropped in the Windows 11 Snipping Tool and the Windows 10 Snip & Sketch tool may be affected.
Essentially, the CVE-2023-28303 vulnerability means that the cropped-out portion of a PNG or JPEG image is not actually removed from the file when the image is saved again: the data is no longer displayed, but it is still present in the file. These cropped sections may contain sensitive information, such as bank account details or medical records.
It’s important to note that applying the patch will not fix any files that have already been cropped, only future edits. You will need to re-crop any existing images to ensure that the excess parts of the picture have been properly removed.
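Since the patch leaves already-cropped files untouched, a defender wants a way to check existing PNGs for leftover data after the image's end marker and to discard it. The script below is an added example, not code from the article or from Microsoft; it assumes only the PNG case described above (leftover bytes sitting after the IEND chunk) and builds its own constructed sample file to run against.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iend_offset(png: bytes) -> int:
    """Byte offset just past the IEND chunk, i.e. where a well-formed
    PNG should end. Raises ValueError for non-PNG or truncated input."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        ctype = png[pos + 4:pos + 8]
        pos += 8 + length + 4  # chunk header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def trailing_bytes(png: bytes) -> int:
    """Bytes after IEND: viewers ignore them, but they may still hold
    content from an earlier save of the same file."""
    return len(png) - iend_offset(png)


def strip_trailing(png: bytes) -> bytes:
    """Return the image truncated at IEND, discarding leftover data."""
    return png[:iend_offset(png)]


# Constructed sample: a 1x1 grayscale PNG (the "cropped" image) followed by
# junk standing in for bytes of a larger original that were never overwritten.
# This is a stand-in built here, not real Snipping Tool output.
ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
CLEAN_PNG = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
LEFTOVER = b"\x00" * 300 + b"remnants of the original image"
SUSPECT_PNG = CLEAN_PNG + LEFTOVER

if __name__ == "__main__":
    print("trailing bytes:", trailing_bytes(SUSPECT_PNG))  # 330
    print("after strip:", trailing_bytes(strip_trailing(SUSPECT_PNG)))  # 0
```

A non-zero count is a signal to re-crop or re-save the file, not proof of what the leftover bytes contain; JPEG files written the same way need an equivalent check against their own end-of-image marker.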
Analysis: Quick Fixes for Worrying Bugs
At first, the chance to restore cropped parts of an image doesn’t seem like a particularly dire security hole — after all, who cares if someone manages to restore that empty sky you’ve deleted from a vacation photo?
There are many reasons why images are cropped, and tech journalists are well aware of them. Personal information such as email addresses, bank account numbers and contact names need to be removed from images before they can be widely shared on the internet.
With so many of us sharing so many photos with other people and across the web, it’s critical from a security standpoint that those images don’t reveal more than we want – which is why this has been treated as a security issue with its own CVE identifier, CVE-2023-28303.
Microsoft has at least moved quickly to test the fix and then apply it — but worryingly, the same bug has popped up in Microsoft and Google software entirely independently in recent days.